ASM violate_details construction explained

Question

We send the ASM log to a 3rd party SIEM.  I could not find a document explaining the detail of the XML variable "violate_details".
The parameter name &amp; value are Base64 encoded.
Does anyone has any clue ?
e.g.:

0
what does 0 means here
or
048600240b20048a-c002000000000000
0000000000200000-0000000000000000
What do these values represent
or
600000063
What is this sig_id ?  Attack Signature does not exist

e.g.:

`048600240b20048a-c0020000000000001c86f2ffebbf6fea-c1120000000000000000000000200000-00000000000000000000000000000000-000000000000000042VIOL_ATTACK_SIGNATURErequest2000000747cjogNDVlYTIwN2Q3YTJiNjhjNDk1ODJkMmQyMmFkZjk1M2FhZHN8YTozOntzOjM6Im51bSI7czoyMDc6IiovIHNlbGVjdCAxLDB4MjcyMDc1NmU2OTZmNmUyZjJhLDMsNCw1LDYsNyw4LDB4N2IyNDdiMjQ0ODdhNmM2YzYxNjc=60102000023137IjtzOjIwNzoiKi8gc2VsZWN0IDEsMHgyNzIwNzU2ZTY5NmY2ZTJmMmEsMyw0LDUsNiw3LDgsMHg3YjI0N2IyNDQ4N2E2YzZjNjE2NzYxMjc1ZDNiNjU3NjYxNmMyZjJhMmEyZjI4NjI2MTczNjUzNjM0NWY2NDY1NjM2ZjY0NjU=11272000023117ZWEyMDdkN2EyYjY4YzQ5NTgyZDJkMjJhZGY5NTNhYWRzfGE6Mzp7czozOiJudW0iO3M6MjA3OiIqLyBzZWxlY3QgMSwweDI3MjA3NTZlNjk2ZjZlMmYyYSwzLDQsNSw2LDcsOCwweDdiMjQ3YjI0NDg3YTZjNmM2MTY3NjEyNzU=59112000025517MzYyNDc0NjZlNTk1NjMwNzA0Zjc3M2QzZDI3MjkyOTNiMmYyZjdkN2QsMC0tIjtzOjI6ImlkIjtzOjk6IicgdW5pb24vKiI7czo0OiJuYW1lIjtzOjM6ImFkcyI7fTQ1ZWEyMDdkN2EyYjY4YzQ5NTgyZDJkMjJhZGY5NTNhDQo=61742VIOL_ATTACK_SIGNATUREparameterglobalaHpsbGFnYQ==ZXZhbC8qKi8oYmFzZTY0X2RlY29kZSgkX1BPU1RbZF0pKTtlY2hvIEh6bGxhZ2FSQ0VUZXN0T0s7ZXhpdDs=006000000637aHpsbGFnYT1ldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW2RdKSk7ZWNobyBIemxsYWdhUkNFVGVzdE9LO2V4aXQ7852000013247aHpsbGFnYT1ldmFsKGJhc2U2NF9kZWNvZGUoJF9QT1NUW2RdKSk7ZWNobyBIemxsYWdhUkNFVGVzdE9LO2V4aXQ78542VIOL_ATTACK_SIGNATUREparameterglobalaHpsbGFnYQ==ZXZhbC8qKi8oYmFzZTY0X2RlY29kZSgkX1BPU1RbZF0pKTtlY2hvIEh6bGxhZ2FSQ0VUZXN0T0s7ZXhpdDs=006000000637aHpsbGFnYT1ldmFsLyoqLyhiYXNlNjRfZGVjb2RlKCRfUE9TVFtkXSkpO2VjaG8gSHpsbGFnYVJDRVRlc3RPSztleGl0Ow==892000013247aHpsbGFnYT1ldmFsLyoqLyhiYXNlNjRfZGVjb2RlKCRfUE9TVFtkXSkpO2VjaG8gSHpsbGFnYVJDRVRlc3RPSztleGl0Ow==8939VIOL_FILETYPEcGhw90169

samstep · Answer

The problem seem to be in the SIEM and its format. To assist the investigation it is best to use SupportID to search for the request which triggered the violation in F5 ASM WEB GUI and compare with the one logged by SIEM

Forum Discussion

ASM violate_details construction explained

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

DevCentral Community Ranking Explained

HTTP Explicit Proxy Explained in Plain English

TCP Internals: 3-way Handshake and Sequence Numbers Explained

TLS Caching Explained on BIG-IP

SSL Forward Proxy Explained using Wireshark

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS